Nine months after a whistleblower revealed Facebook had allowed outsiders to improperly access personal information about millions of its users, the social media giant faced its first major rebuke from regulators in the United States -- a lawsuit filed by the attorney general of the District of Columbia.

The lawsuit from Karl Racine on Wednesday targeted Facebook mainly for its entanglement with Cambridge Analytica, a political consultancy that harvested names, “likes” and other data from the social site without users’ permission. The incident, which affected more than 87 million users beginning in 2014, came to light this March, sparking investigations around the world.

The opening salvo from the D.C. attorney general ended a protracted silence on the part of many U.S. regulators, who have faced immense pressure -- from members of Congress and average web users -- to discipline Facebook for what many see as a reckless disregard for online privacy. Some of Silicon Valley’s toughest critics have urged the government to slap Facebook with severe fines and other penalties that might force it to rethink a business model that monetizes the most intimate details of consumers’ lives.

“It’s about time,” said Christopher Wylie, who exposed the Cambridge Analytica controversy through reports in several news organizations.

But the fact that the first legal action came from local D.C. officials -- not their federal counterparts located a short ten minutes’ walk away -- left some privacy advocates fearful that the U.S. government’s primary consumer-protection cop increasingly is outmatched by Silicon Valley. That agency, the Federal Trade Commission, started investigating the Cambridge Analytica controversy weeks after it became public out of concern that Facebook violated a pledge it made to regulators to honor its users’ privacy settings. On Wednesday, spokespeople at the FTC again declined to comment on their progress.

"The agency needs to show us that it can stand up to Big Tech," said Hal Singer, a senior fellow at George Washington University's Institute of Public Policy.

Asked about the lawsuit, Facebook said in a statement Wednesday it is "reviewing the complaint and [looks] forward to continuing our discussions with attorneys general in D.C. and elsewhere.” Facebook’s stock price closed down more than 7 percent Wednesday.

The D.C. case threatens to develop into an even worse headache for Facebook. Racine told reporters that his office has “had discussions with a number of other states that are similarly interested in protecting the data and personal information of their consumers,” though he cautioned there is no formal agreement for them to proceed jointly. And the attorney general’s aides said they could add additional charges to their lawsuit as other details about Facebook’s privacy lapses become public.

In the months since the Cambridge Analytica scandal began, Facebook has fielded considerable criticism for a series of privacy missteps. Last week, Facebook admitted that as many as 6.8 million users' photos may have been improperly accessed by third-party apps. On Tuesday, new details emerged about Facebook’s extensive data-sharing arrangements with corporate partners including Amazon and Spotify. The report from The New York Times quickly triggered another round of calls from Capitol Hill for the tech giant to be penalized.

“It appears that Facebook has not been honest with Congress or the public about how it treats its users’ data,” said New Jersey Rep. Frank Pallone, the incoming Democratic chairman of the tech-focused House Energy and Commerce Committee. “Based on these revelations, I’m concerned that Facebook may have provided the Committee with inaccurate, incomplete, or misleading responses to our questions, and we’ll be following-up.”

Facebook’s troubles with Cambridge Analytica came to light in March, after Wylie revealed that the political firm sought to create “psychographic” profiles about social-media users -- using their Facebook data -- and target them with messages that preyed on their hopes and fears. Among those affected were half of all D.C. residents, said Racine, the district’s attorney general, when he announced his lawsuit in a call with reporters. Citing the region’s consumer-protection law, Racine contended that Facebook misled users about the security of their data, made it difficult for users to control their privacy settings and failed to inform them promptly after discovering Cambridge Analytica improperly accessed personal information.

“Facebook’s lax oversight of its privacy protocols and confusing privacy settings put the personal information of millions of Americans at risk,” Racine said.

The D.C. lawsuit also took issue with other business practices at Facebook, including its relationships with device-makers such as BlackBerry that could access social data in ways that could “override” a user’s privacy settings, according to the complaint. In response, the attorney general’s office said the District sought an injunction to “ensure Facebook puts in place protocols and safeguards to monitor users’ data,” along with “restitution for consumers, penalties, and costs.”

While D.C. takes aim at Facebook, federal regulators remained quiet about their next steps. The Cambridge Analytica controversy initially drew the attention of multiple agencies -- the Securities and Exchange Commission, the Federal Trade Commission and the Justice Department. The FTC in particular has probed whether Facebook’s relationship with Cambridge Analytica -- and its handling of users’ data -- violated a 2011 agreement brokered by the U.S. government that required the tech giant to improve its privacy practices or risk major fines. The penalty, which is assessed based on the total number of violations and users affected, could reach into the billions of dollars, experts have said.

In recent weeks, though, FTC Chairman Joe Simons repeatedly has declined to update members of Congress about the probe -- or the extent to which the government has started studying Facebook’s other privacy mishaps. Appearing at a Senate hearing in November, Simons said it would be “inappropriate for me to comment on a specific non-public investigation” -- even though the FTC itself previously confirmed it is investigating.

The FTC’s silence did little to satisfy Democratic Sen. Richard Blumenthal (Conn.). “We need to know when you will have some results because these continuing violations clearly show we have something more than a single bad actor problem, and it is not only Facebook,” he said at the time. “I think you have an obligation to tell us when you think this investigation will be done.”

Veterans of the FTC -- which tends to operate in secrecy -- acknowledged the agency can take upwards of a year to probe a violation fully, and that the scope of investigations can expand as new information emerges. But analysts said the commission faces a major, time-sensitive test with Facebook: Should the FTC fail to act swiftly against the social-media giant, at a moment when its privacy mishaps are piling up, the agency could find itself weakened in its ability to hold the rest of Silicon Valley accountable.

“The stakes are extremely high for the agency,” said Marshall Steinbaum, research director at the New York-based Roosevelt Institute, a left-leaning think tank. “The companies want Congress to empower the FTC as the sole arbiter of privacy issues. If the companies can run the table on them ... then we can’t seriously entertain the idea that this agency is capable of regulating the sector.”

Comments

Tony RommTony Romm is a technology policy reporter at The Washington Post. He has spent nearly ten years covering the ways that tech companies like Apple, Facebook and Google navigate the corridors of government -- and the regulations that sometimes result. Follow

Brian FungBrian Fung covers business and technology for The Washington Post. Before joining The Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic. Follow

Aaron C. DavisAaron Davis is an investigative reporter who has covered local, state and federal government, as well as the aviation industry and law enforcement. Davis shared in winning the Pulitzer Prize for Investigative Reporting in 2018. Follow

Craig TimbergCraig Timberg is a national technology reporter for The Washington Post. Since joining The Post in 1998, he has been a reporter, editor and foreign correspondent, and he contributed to The Post’s Pulitzer Prize-winning coverage of the National Security Agency. Follow